Microsoft CEO Brad Smith acknowledges mistakes made regarding security
Brad Smith, the president of Microsoft, has admitted that Microsoft has made mistakes regarding the security of its products. He said this during a hearing of the US Homeland Security Committee.
Brad Smith was called before the committee to account for a cyber attack in 2023, IT Daily writes. Last year, Chinese hackers managed to break into email accounts of various companies, Western European governments and the US government via Microsoft Exchange Online. In April, the US stated in a report that Microsoft could have prevented that attack. Smith must now answer for this on behalf of Microsoft.
In written testimony prior to the hearing, Smith said that Microsoft accepts responsibility for the problems identified by the US “without any doubt or hesitation.” He also writes that Microsoft is working to adopt all recommendations from the report and to work on eighteen other security objectives. During the hearing, Smith again acknowledged that the company failed in this incident.
Criticism over SolarWinds attack
Earlier this week, more criticism emerged of Microsoft's conduct in the field of security. On Thursday, ProPublica published an account by former Microsoft employee Andrew Harris, who worked on the company's security team until 2020. Harris argues that Microsoft played a questionable role in the 2020 SolarWinds attack.
The former employee said he discovered a potentially serious vulnerability in 2016 in Azure AD FS, the service used to log in to the Azure cloud. According to Harris, attackers could exploit the vulnerability to break into customers' cloud environments through an on-premises server. However, Microsoft was afraid at the time that admitting the vulnerability would damage the reputation of its then relatively new cloud division, so it was covered up, Harris says. For years, the former employee tried to get Microsoft to fix the bug, but nothing was done.
In August 2020, Harris moved to CrowdStrike, just months before the SolarWinds attack. That attack exploited the flaw Harris had already found in 2016, according to ProPublica. Smith already had to answer for the SolarWinds attack in 2021, but he said at the time that no vulnerability in Microsoft products or services was exploited for that attack.